Context Navigation

Experiment 3: Handling Intrusion with Ryu Controller

Overview

In this experiment, we will use the Ryu controller to handle intrusion traffic. The system is the same as the one used in Experiment 2, where we use a RINA distributed application to get the intrusion detection results from the VNFs (i.e., Snort) as well as the load of the VNFs. When an intrusion is detected by VNFs, its information will be passed to the Ryu controller via the RINA distributed application, and then the Ryu controller will block the intrusion traffic by updating the OpenFlow rules on the OVS switch.

We use the same PI control for load balancing as in Experiment 2, and you can find details about the PI control there.

(2) PI Controller

(3) PI-based Ryu Controller

Note: You can see in "nfv.config" that the information of the intrusion traffic is located in the file /tmp/attacker.txt on the controller VM, which is outputted by the RINA distributed application. Make sure the file is empty each time you run this experiment.

Note: exit from previous instances of snort if they are still running from earlier experiments before you run this instance of snort.

Note: this command is different from Experiment 2, where the file /etc/snort/snort.conf specifies which rule files to load.

When Snort detects intrusion traffic, it will save the alert messages into the file /var/log/snort/alert. The RINA distributed application keeps reading this alert file, and pass any intrusion information to the Ryu controller which will block the intrusion traffic.

Note: If you want to re-run this experiment, make sure to remove both files: /var/log/snort/alert on both VNF nodes, and /tmp/attacker.txt on the controller node.

(5) Generate Regular and Intrusion Traffic

In a separate window for destination, start the netcat server by running:

nc -u -l 5000

In another separate window for s1, start the netcat client by running:

nc -u destination 5000

Type something on the s1 window and you should see it on the destination window.

In another separate window for s1, we will generate attack traffic, which in our case are ICMP messages. To send ICMP messages to the destination, run the following ping command:

ping destination

The first few ping messages are able to reach destination since it takes some time for the controller to get the intrusion detection results from the VNFs via the RINA distributed application, but after a few seconds, all following ping messages will not be able to reach the destination, and you should see the following output:

Type something on the s1 window for netcat and you should NOT see it on the destination window. If you go to the controller window which runs the Ryu controller, you can see that all traffic from the attacker is dropped with the following output:

Restart the netcat server on the destination by running:

nc -u -l 5000

In another separate window for s2, start the netcat client by running:

nc -u destination 5000

Notice that using the netcat client side on s2, all messages are able to reach the destination since s2 traffic is not blocked. However, no traffic from s1 reaches the destination since s1 is blocked.